CarePartners Will Now be Made to Pay. Somehow…

CarePartners didn’t seem to care about paying any ransom to a hacking group that stole their patients’ sensitive records 2 months ago, but now a malicious individual has decided to put the breached records up for sale on the underground market.

On June 18, 2018, CarePartners – an Ontario-based home care service provider – publicly disclosed that it had suffered a data breach where patient’s information was “inappropriately accessed”. One week before that disclosure, the attackers had contacted CarePartners and spelled out “ransom” terms but the victim was having none of it. And rightly so. Now though, the criminals have resorted to other means of monetizing the stolen data.

According to information obtained by Digiss LLC, over 200 Gigabytes of data is up for sale. This includes medical records of over 80,000 patients (from 2010 to 2018), personally identifiable information, medical supply order forms, discharge medical files, clients’ cardholder data (containing expiry dates and CVV) and so forth.

The “whole package”, as can be seen in the screenshots below, is being offered to interested buyers at 2.5 Bitcoins (about $16,500) by a cybercriminal who goes by the handle: SkySore. We were unable to determine whether this individual belongs to the group that originally compromised CarePartners network or not.

Much like in the case of other cyber attacks, the criminals gained the keys to the kingdom through successful exploitation of an age-old vulnerability. Unlike in the case of Sony and Hacking Team attacks where the attackers were simply motivated to embarrass their victims, this particular group hacked for profit but when the victim refused to pay, they decided to take their business elsewhere.

It is worth noting that this was not a Ransomware attack where the victim could have simply restored encrypted data and moved on. This is what I call Datanapping where the attacker steals the data and threatens to sell it to the highest bidder if the victim organization fails to pay certain amount of money.

Best practice is to NEVER PAY even though you will still be made to pay by suffering one or all of the following negative outcomes: reputation damage, depressed stock price, negative media attention, litigations or regulatory fines among others. There’s no guarantee that any organization breached and blackmailed in this manner would not suffer any of the aforementioned outcomes even if they paid the demanded ransom. Integrity is not an attribute to associate with cybercriminals therefore it’s fair to assume that they will always be happy to double dip.

Apparently aware that CarePartners could pay up to $500,000 CAD in regulatory fine should this be found to be a case of dereliction of duty (of care and diligence), the attackers claimedthat the breach was “completely avoidable”. According to them, a fix for the exploited vulnerability became available 2 years ago while none of the data lifted was encrypted at rest.

CarePartners, on its part, stated that it “takes safeguarding of personal health and financial information seriously”. Going by the attackers’ claim and evidence though, it would appear that it (CarePartners) failed to fulfill certain cyber hygiene practices. The Computer Emergency Response Team (CERT) division at Carnegie Mellon Software Engineering Institute came up with a baseline set of 11 cyber hygiene practices (see above) to help organizations defend themselves against common cyber attacks. Going by the hackers account, it is easy to see which of the baseline practices in the above image CarePartners failed to fulfill.

In 1789, Benjamin Franklin wrote that “in this world nothing can be said to be certain except death and taxes”. Well, cyber attack has now joined that list of certainties. That notwithstanding, if your organization is ever going to get breached, be sure to limit the impact by adhering religiously to basic cyber hygiene practices. According to a very credible study conducted by the Ponemon Institute in 2016 (flipping the economics of attacks), most (60%) cyber attackers move on to softer targets after about 40 hours of unsuccessful, repeated attempts to breach an organization’s cyber defense.

This incident, like others before and after it, is a stark reminder of what could happen when stakeholders within an organization fail to pull their weights appropriately. Cyber security is everyone’s responsibility therefore when everyone pulls in the same direction, defeating the adversary becomes much easier.